├── requirements.txt
├── dns_cat_png_extractor.py
└── README.md

/requirements.txt:
--------------------------------------------------------------------------------
Pillow==10.1.0
scapy==2.5.0
--------------------------------------------------------------------------------
/dns_cat_png_extractor.py:
--------------------------------------------------------------------------------
import re
import argparse
from scapy.all import rdpcap, DNSQR, DNSRR
from PIL import Image


def extract_dns_queries(pcap_file, domain_to_replace):
    """Extract the hex payload of DNS queries from a pcap file and concatenate it."""
    concatenated_queries = b''
    last_query = b''
    domain_to_replace = domain_to_replace.encode()

    for packet in rdpcap(pcap_file):
        # Only outbound queries carry the exfiltrated data; skip responses.
        if packet.haslayer(DNSQR) and not packet.haslayer(DNSRR):
            query_name = packet[DNSQR].qname

            # Drop the exfil domain and split the remaining hex-encoded labels.
            query = query_name.replace(domain_to_replace, b'').strip().split(b'.')

            # Re-join the labels and skip the 9-byte dnscat2 packet header
            # (packet_id, type, session_id, seq, ack), i.e. 18 hex characters.
            query = b''.join(part for part in query)[18:]

            # Identical consecutive chunks are retransmissions; keep one copy.
            if last_query != query:
                concatenated_queries += query

            last_query = query

    return concatenated_queries


def hex_to_bytes(ascii_hex_data):
    """Convert an ASCII representation of hexadecimal data to bytes."""
    try:
        return bytes.fromhex(str(ascii_hex_data, "latin-1"))
    except ValueError:
        print("Invalid hexadecimal data")
        return None


def find_png_data(hex_data):
    """Search a hex byte string for a PNG (signature through the IEND chunk)."""
    png_regex = re.compile(rb'89504e470d0a1a0a(.*?)49454e44ae426082')
    matches = png_regex.search(hex_data)

    if matches:
        return b'89504e470d0a1a0a' + matches.group(1) + b'49454e44ae426082'
    else:
        return None


def write_png_file(png_data, filename):
    """Write PNG data to a file in binary mode."""
    with open(filename, "wb") as png_file:
        png_file.write(png_data)
    return filename


def open_png_image(image_path):
    """Open and display a PNG image."""
    try:
        with Image.open(image_path) as img:
            img.show()
    except IOError:
        print(f"Error opening image file: {image_path}")


# Argument parsing
parser = argparse.ArgumentParser(description='Extract PNG images from DNS queries in pcap files.')
parser.add_argument('pcap_file', help='The pcap file to process.')
parser.add_argument('-d', '--domain', help='The domain to replace in DNS queries.', default='.jz-n-bs.local')
args = parser.parse_args()

# Ensure domain ends with a period
if not args.domain.endswith('.'):
    args.domain += '.'

# Main process
try:
    pcap_filename = args.pcap_file
    hex_data = extract_dns_queries(pcap_filename, args.domain)

    png_data = find_png_data(hex_data)
    if png_data is None:
        # Check before decoding: hex_to_bytes(None) would raise and mask this message.
        print("No PNG images found in the data.")
    else:
        byte_data = hex_to_bytes(png_data)
        if byte_data:
            image_path = write_png_file(byte_data, "result.png")
            open_png_image(image_path)

except Exception as e:
    print("An error occurred:", e)
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# DNSCat-PNG-Extractor

## Overview

DNSCat-PNG-Extractor is a Python tool designed to extract PNG images embedded within DNS queries in pcap files. It is particularly useful when analyzing DNS exfiltration performed with tools like `dnscat`. The script parses pcap files, identifies hidden PNG data within DNS queries, and reconstructs the image for analysis.

## Features

- **DNSCat Traffic Analysis**: Parses pcap files to detect and process `dnscat` communication patterns.
- **PNG Image Extraction**: Extracts PNG images from fragmented DNS query data.
- **Custom Domain Replacement**: Offers an option to specify a custom domain for filtering DNS queries.
- **Image Display**: Uses the Python Imaging Library (Pillow) to display the extracted PNG image.
- **Command-Line Interface**: Easy to use with command-line arguments for file processing and optional domain specification.

## Installation

1. **Clone the Repository**:
   ```bash
   git clone https://github.com/Cyber-Experts/DNSCat-PNG-Extractor.git
   ```
2. **Install Dependencies**:
   - Ensure you have Python installed on your system.
   - Install the necessary Python packages:
     ```bash
     pip install -r requirements.txt
     ```

## Usage

Run the script by providing the pcap file as a required argument. Optionally, specify a domain to replace in DNS queries:

```bash
python dns_cat_png_extractor.py <pcap_file> -d <domain>
```

- `<pcap_file>`: The path to the pcap file you want to analyze.
- `<domain>`: The domain to be replaced in DNS queries (defaults to `.jz-n-bs.local`).

## Example

```bash
python dns_cat_png_extractor.py yourfile.pcap -d 'jz-n-bs.local'
```

## Output

The script processes the pcap file, looks for PNG data within the DNS queries, reconstructs the first PNG it finds, saves it as `result.png`, and displays the image using Pillow.

## Contributing

Contributions are welcome! Feel free to fork the repository, make your changes, and submit a pull request. For significant changes, please open an issue first to discuss what you would like to change.

## License

DNSCat-PNG-Extractor is released under the [MIT License](LICENSE).

## References

The development of the DNSCat-PNG-Extractor tool was significantly informed by the following resources. They provided the background on DNS exfiltration, the workings of `dnscat`, and the PNG format that shaped the tool's capabilities:

- **HackTricks - DNSCat Exfiltration**: A foundational overview of pcap inspection and DNSCat exfiltration. [Read more](https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/dnscat-exfiltration).
- **CTF Write-Ups - DNSCap**: The challenges and solutions detailed here, particularly the BSidesSF 2017 CTF challenge `dnscap`, offered practical insights that guided development. [Explore the write-ups](https://github.com/jrmdev/ctf-writeups/tree/master/bsidessf-2017/dnscap).
- **DNSCat2 Protocol Documentation**: [View the documentation](https://github.com/iagox86/dnscat2/blob/master/doc/protocol.md).
- **Wikipedia - PNG (Portable Network Graphics)**: Details of the PNG format. [Learn about PNG](https://en.wikipedia.org/wiki/PNG).

--------------------------------------------------------------------------------
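The reconstruction the script performs, shown as a stand-alone example added here (not the repository's code): it works on a list of query names rather than a pcap, so it needs neither scapy nor a capture, builds constructed dnscat2-style names with hypothetical header values, and, going one step beyond the script, ignores names that do not end in the exfil domain instead of concatenating them as noise.

```python
import re

PNG_SIG = bytes.fromhex("89504e470d0a1a0a")
PNG_IEND = bytes.fromhex("49454e44ae426082")  # IEND chunk type plus its fixed CRC
HEADER_HEX_LEN = 18  # 9-byte dnscat2 MSG header (packet_id, type, session_id, seq, ack) as hex

def reassemble_payload(qnames, domain):
    """Join the hex payload carried in dnscat2-style query names (bytes, trailing dot).
    As in the page's extract_dns_queries(): strip the domain, drop label dots and the
    packet header, skip back-to-back duplicate chunks. Added here: names that do not
    end in the exfil domain are ignored rather than concatenated."""
    suffix = b"." + domain.strip(".").encode() + b"."
    payload, last = b"", None
    for qname in qnames:
        if not qname.endswith(suffix):
            continue
        chunk = qname[:-len(suffix)].replace(b".", b"")[HEADER_HEX_LEN:]
        if chunk != last:
            payload += chunk
        last = chunk
    return payload

def carve_png(hex_payload):
    """Return the first PNG (signature .. IEND) in a hex byte string, decoded; else None."""
    m = re.search(rb"89504e470d0a1a0a.*?49454e44ae426082", hex_payload)
    return bytes.fromhex(m.group(0).decode("ascii")) if m else None

# Constructed sample: the smallest byte string the carver accepts as a PNG
# (signature followed by a zero-length IEND chunk); it is not a viewable image.
SAMPLE_PNG = PNG_SIG + bytes.fromhex("00000000") + PNG_IEND

def build_queries(data, domain, chunk=8):
    """Constructed helper: split data into dnscat2-like query names using hypothetical
    header values (packet_id=n, type=01 MSG, session=beef, seq=n, ack=0), and repeat
    the second name once to simulate a retransmission."""
    hexdata, names = data.hex().encode(), []
    for n, i in enumerate(range(0, len(hexdata), chunk * 2)):
        body = b"%04x01beef%04x0000" % (n, n) + hexdata[i:i + chunk * 2]
        labels = b".".join(body[j:j + 30] for j in range(0, len(body), 30))
        names.append(labels + b"." + domain.encode() + b".")
    names.insert(2, names[1])
    return names

def demo():
    """End-to-end run over constructed traffic plus one unrelated lookup."""
    queries = build_queries(b"hdr:" + SAMPLE_PNG, "jz-n-bs.local") + [b"www.example.com."]
    return carve_png(reassemble_payload(queries, "jz-n-bs.local"))
```

`demo()` returns `SAMPLE_PNG` even though the stream starts with unrelated bytes, one chunk is sent twice, and an ordinary lookup is mixed in.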